AWS App Mesh
User Guide

The AWS Documentation website is getting a new look!
Try it now and let us know what you think. Switch to the new look >>

You can return to the original look by selecting English in the language selector above.

Policy Structure

The following topics explain the structure of an IAM policy.

Policy Syntax

An IAM policy is a JSON document that consists of one or more statements. Each statement is structured as follows.

{ "Statement":[{ "Effect":"effect", "Action":"action", "Resource":"arn", "Condition":{ "condition":{ "key":"value" } } } ] }

The following elements make up a statement:

  • Effect – The effect can be Allow or Deny. By default, IAM users don't have permission to use resources and API actions, so all requests are denied. An explicit allow overrides the default. An explicit deny overrides any allows.

  • Action – The action is the specific API action that you're granting or denying permission for.

  • Resource – The resource that is affected by the action. App Mesh API operations currently don't support resource-level permissions, so you must use the * wildcard to specify that all resources can be affected by the action.

  • Condition – Conditions are optional. They can be used to control when your policy is in effect.

For more information about example IAM policy statements for App Mesh, see Creating App Mesh IAM Policies.

Actions for App Mesh

In an IAM policy statement, you can specify any API action from any service that supports IAM. For App Mesh, use the following prefix with the name of the API action: appmesh:. For example: appmesh:CreateMesh and appmesh:DeleteMesh.

To specify multiple actions in a single statement, separate them with commas as follows.

"Action": ["appmesh:action1", "appmesh:action2"]

You can also specify multiple actions using wildcards. For example, you can specify all actions whose name begins with the word "Describe" as follows.

"Action": "appmesh:Describe*"

To specify all App Mesh API actions, use the * wildcard as follows.

"Action": "appmesh:*"

For a complete list of actions, see Actions Defined by AWS App Mesh.

Checking That Users Have the Required Permissions

After you have created an IAM policy, we recommend that you check whether it grants users the permissions to use the particular API actions and resources that they need. Do this before you put the policy into production.

First, create an IAM user for testing purposes and then attach the IAM policy that you created to the test user. Then make a request as the test user. You can make test requests in the console or with the AWS CLI.


You can also test your policies with the IAM Policy Simulator. For more information on the policy simulator, see Working with the IAM Policy Simulator in the IAM User Guide.

If the policy doesn't grant the user the permissions that you expected or is overly permissive, you can adjust the policy as needed. Retest until you get the desired results.


It can take several minutes for policy changes to propagate before they take effect. We recommend that you allow 5 minutes to pass before you test your policy updates.

If an authorization check fails, the request returns an encoded message with diagnostic information. You can decode the message using the DecodeAuthorizationMessage action. For more information, see DecodeAuthorizationMessage in the AWS Security Token Service API Reference, and decode-authorization-message in the AWS CLI Command Reference.